1. Introduction

Although formal models have contributed to our understanding of capability-based protection systems, they have been properly criticized for concentrating on the movement of "authority" or "access privilege" within the system, rather than on the movement of the information. For example, the Take/Grant Model [1,2] describes the exact conditions under which a particular user can get the authority to access a file. If the conditions are satisfied, then the user can access the information. But if they are not satisfied, it does not follow that the user cannot get at the information. There may be some way to transfer the information without the user ever getting direct authority to access it. The Take/Grant Model gives no information and other models are similarly mute.

In  this  paper  we  take  a modest  step  towards  elucidating  the  problem. 
Specifically,  we  distinguish  between  two  types  of  information  acquisition*: 

de  jure  (DJ)  acquisition  means  a user  acquires  information  by 
invoking  direct  authority  within  the  capability  system; 

de  facto  (DF)  acquisition  means  a user  acquires  information,  usually 
with  the  assistance  of  others,  without  necessarily  acquiring 
the  direct  authority  to  access  it  within  the  capability  system. 

Thus,  de  jure  acquisition  implies  de  facto  acquisition,  but  not  vice  versa. 

This distinction can be illustrated diagrammatically. In Figure 1a, the users have read and write capabilities (r,w) to their personal files. User Abel also has "take" authority over user Baker. This latter authority allows Abel to take the read access authority to File 2 from Baker — an action that would result in the diagram shown in Figure 1b. Abel can now invoke this read authority, resulting in a de jure acquisition.

*Our use of de jure, "rightful, by right" [5], and de facto, "(existing) in fact, whether by right or not" [5], is intended to avoid the pejorative connotations of the authorized/unauthorized distinction.

Figure 2 illustrates a situation where two users have "read" and "write" capabilities to their personal files as well as to a common mail box file. Baker can request that user Charlie write the information from File 3 into the mail box. Assuming Charlie complies fully, Baker can then read the information from the mail box, resulting in a de facto acquisition.

Baker  never  has  the  "read"  capability  to  File  3 although  he  can  read  a 
copy  of  it.  Having  the  capability  to  read  a file  and  being  capable  of 
reading  a copy  of  it  are  not  the  same  thing  because  (a)  the  latter  relies 
on  the  transmission  of  a complete  and  accurate  copy  and  (b)  any  updates 
to  File  3 are  not  automatically  reflected  in  the  copy.  We  use  a dashed 
line  to  denote  the  de  facto  transmission. 

Obviously, more complex situations can arise. In the graph formed by combining Figures 1a and 2a, we can illustrate both types of transfer.

In  Figure  3,  Abel  takes  the  "read"  capability  to  the  mail  box.  Then, 
after  Charlie  writes  File  3 into  the  mail  box,  perhaps  in  the  belief  that 
he  is  making  it  available  only  to  Baker,  Abel  can  make  a de  facto  acquisition. 

Our objective in this paper is to characterize the use of de facto and de jure acquisition in a protection system. Since de jure acquisition is already well understood in the Take/Grant Model, we build on that understanding to develop conditions under which information can be transferred by de facto transfers only or by a combination of de facto and de jure transfers.

We shall organize our presentation as follows. (Note that no previous knowledge of the Take/Grant System is presumed.)

Section 2: Definition of the model and the class of de facto rules.
Section 3: Characterization of de facto acquisition.
Section 4: De jure acquisition and previous results.
Section 5: Characterization of combined de facto and de jure acquisition.

The final section is devoted to a summary and discussion.


Figure 3: Combination of de jure and de facto transfers.
2. De Facto Information Transfers

As suggested in the previous section, a capability-based protection system will be modeled by a finite directed graph called a protection graph. The vertices of the graph will be of two types: subjects (denoted by •) will represent "active" entities such as users, and objects (denoted by o) will denote "passive" entities such as files. (There are usually many other entities in a system, e.g. load modules, directories, etc., that are hard to categorize by such vague terms as "active" or "passive." One might argue that a load module is "active" in the sense that it could, when executed, cause information to move. Alternatively, if one knows that the module is "secure," i.e. doesn't disseminate information, it might be called "passive." These and other interpretations depend upon what system is being modeled, and because of our general approach, they are beyond the scope of this study. We simply provide two classes of entities and depend on the user to make the appropriate classification for his system.)

The edges between the vertices are labeled with elements from a finite set R of rights. For specificity, we use R = {r,w,t,g}, mnemonic for read, write, take and grant. (Other rights could be included, but we regard this as a minimal set.) The edge from vertex a to vertex b labeled by some α ⊆ R indicates that within the protection system, a has the α rights to b. This edge is called an explicit edge.

In addition to these solid edges, we will use dashed edges (labeled by an r) to represent de facto acquisitions. These edges are called implicit edges. They are not actually part of the protection graph since they represent information that is not part of the protection system. But we add them to the protection graph for pedagogical reasons to specify the existence of a potential de facto transfer.


In the Introduction we illustrated how information might be transferred in a system by means of a mail box construction, but there may be other means as well. We identify four distinct methods of de facto acquisition and formulate them as rewriting rules on protection graphs. (Note, in the following definitions "edge" refers to either an explicit or implicit edge. In the diagrams, ⊗ denotes a vertex that can be either a subject or an object, edge labels may contain additional rights, and set braces are elided.)


Post: Let x, y and z be distinct vertices of a protection graph G such that x and z are subjects. Let there be an edge from x to y labeled α, r ∈ α, and an edge from z to y labeled β, w ∈ β. Then post defines a new graph G' with an implicit edge from x to z labeled r. Graphically,

    x -r-> y <-w- z    =>    x -r-> y <-w- z   plus   x - - r - -> z  (implicit)

Pass: Let x, y and z be distinct vertices in a protection graph G such that y is a subject. Let there be an edge from y to x labeled by α, w ∈ α, and an edge from y to z labeled by β, r ∈ β. Then pass defines a new graph G' with an implicit edge from x to z labeled r. Graphically,

    x <-w- y -r-> z    =>    x <-w- y -r-> z   plus   x - - r - -> z  (implicit)

Spy: Let x, y and z be distinct vertices in a protection graph G such that x and y are subjects. Let there be an edge from x to y labeled α, r ∈ α, and an edge from y to z labeled β, r ∈ β. Then the spy rule defines a new graph G' with an implicit edge from x to z labeled r. Graphically, we write

    x -r-> y -r-> z    =>    x -r-> y -r-> z   plus   x - - r - -> z  (implicit)

Find: Let x, y and z be distinct vertices in a protection graph G such that y and z are subjects. Let there be an edge from y to x labeled α, w ∈ α, and an edge from z to y labeled β, w ∈ β. Then find defines a new graph G' with an implicit edge from x to z labeled r. Graphically,

    x <-w- y <-w- z    =>    x <-w- y <-w- z   plus   x - - r - -> z  (implicit)

We  will  refer  to  these  rules,  collectively,  as  the  DF  rules. 

The rules are intended to abstract possible ways in which information can be read in a system by the cooperative effort of one or more subjects. The subjects invoke authority that they own within the system (de jure acquisition) in order to effect a de facto transfer. This transfer, or more accurately, the potential for this transfer, is summarized by the implicit edge from x to z, labeled r. We can then apply these rules to a protection graph (see example below) to summarize the de facto transfer in the entire system.

Clearly, the Post rule abstracts the operation described in the Introduction. In the Pass rule y acts as a conduit through which data travels from z to x. The Spy rule abstracts the case where y reads data from z and x "watches" y read the data. More often, however, it is used to "compose" transfers (see the example below). The Find rule abstracts the case where z deposits data in y and y in turn passes it along to x.
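As an added worked example (it is not code from the paper), the following Python program encodes a protection graph and applies the four DF rules to saturation, treating "edge" as explicit-or-implicit exactly as the definitions above require. The sample graph is constructed here from the text's description of Figure 3: Abel, Baker and Charlie with personal files File1, File2 and File3 and a shared Mailbox, where Abel has already taken r to the mail box. The vertex and file names are assumptions.

```python
from collections import defaultdict
from itertools import permutations


class ProtectionGraph:
    """Protection graph with explicit (solid) edges labeled by rights and
    implicit (dashed) edges, which always carry only the right r."""

    def __init__(self):
        self.subjects = set()
        self.objects = set()
        self.explicit = defaultdict(set)  # (a, b) -> rights a holds to b
        self.implicit = set()             # (a, b): a can de facto read b

    def add_subject(self, v):
        self.subjects.add(v)

    def add_object(self, v):
        self.objects.add(v)

    def add_edge(self, a, b, rights):
        self.explicit[(a, b)] |= set(rights)

    def has(self, a, b, right):
        """'edge' in the DF rules means explicit or implicit; only r is implicit."""
        if right in self.explicit.get((a, b), set()):
            return True
        return right == "r" and (a, b) in self.implicit

    def df_closure(self):
        """Apply Post, Pass, Spy and Find until no new implicit edge appears.
        Returns the implicit edges: potential de facto reads that are not
        already explicit read authority."""
        vertices = sorted(self.subjects | self.objects)
        subj = self.subjects
        changed = True
        while changed:
            changed = False
            for x, y, z in permutations(vertices, 3):
                if (x, z) in self.implicit or "r" in self.explicit.get((x, z), set()):
                    continue
                post = x in subj and z in subj and self.has(x, y, "r") and self.has(z, y, "w")
                pass_ = y in subj and self.has(y, x, "w") and self.has(y, z, "r")
                spy = x in subj and y in subj and self.has(x, y, "r") and self.has(y, z, "r")
                find = y in subj and z in subj and self.has(y, x, "w") and self.has(z, y, "w")
                if post or pass_ or spy or find:
                    self.implicit.add((x, z))
                    changed = True
        return self.implicit


def mailbox_example():
    """Figure 3 as the text describes it (constructed here): each user has r,w
    to a personal file, Baker and Charlie share a mail box, and Abel has
    already taken r to the mail box from Baker."""
    g = ProtectionGraph()
    for s in ("Abel", "Baker", "Charlie"):
        g.add_subject(s)
    for o in ("File1", "File2", "File3", "Mailbox"):
        g.add_object(o)
    g.add_edge("Abel", "File1", "rw")
    g.add_edge("Baker", "File2", "rw")
    g.add_edge("Charlie", "File3", "rw")
    g.add_edge("Baker", "Mailbox", "rw")
    g.add_edge("Charlie", "Mailbox", "rw")
    g.add_edge("Abel", "Baker", "t")      # the take authority of Figure 1a
    g.add_edge("Abel", "Mailbox", "r")    # the de jure acquisition of Figure 3
    g.df_closure()
    return g


if __name__ == "__main__":
    g = mailbox_example()
    for a, b in sorted(g.implicit):
        print(f"{a} - - r - -> {b}")
```

Running it lists every implicit edge of the closed graph. Among them are Baker - - r - -> Charlie (Post on the mail box), Baker - - r - -> File3 and Abel - - r - -> File3 (Spy composed on the Post result), while no implicit edge ever reaches File1, since nobody but Abel reads it and nobody reads Abel.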

We regard these four rules as a representative sample of the potential de facto transfers that might arise in a protection system. In some actual systems only a subset of these transfers might be possible while in other systems there may be transfers not captured by these rules. In either case the development that follows may have to be modified. Our purpose is to illustrate how the Take/Grant Model can be used to assess the potential de facto transfers of a protection system.

Finally, note that we have concerned ourselves only with the transfer of information to x via read. We might also have considered transmission of information from x by the addition of rules that add edges labeled with a "w." We shall discuss this apparent limitation in Section 6.

The rewriting rules enable us to illustrate the potential de facto transfers by augmenting a given protection graph G with new implicit edges. Let G_0 be the protection graph

[Figure: protection graph G_0, not reproduced]

and consider whether or not p can read q. We note that the Post transfer rule matches, so it can be applied where the variables of the rule definition (x, y, z, α and β) match p, s, t, {r} and {w}, respectively. Thus, we summarize the potential for this transfer by adding an implicit edge from p to t labeled r. The result is G_1. Usually, we denote such a rule application by G_0 ⊢_post G_1.

The sequence of rule applications that illustrates that p could acquire the contents of q is shown below.

[Figure: sequence of rule applications G_0 ⊢ G_1 ⊢ ..., not reproduced]

So we conclude that there is a potential for de facto transfer to p.

Note that all of these added edges are implicit — they do not represent added authority, only potential de facto access.

Tortuous though the example may be, it illustrates that rather complex transfers can be realized. It is just as important (perhaps more important) to know what de facto transfers cannot be realized. For example, it is not possible for p' to read q by a transfer along the "lower" path in G_0. This is because of the two consecutive objects which form a "barrier" to indirect transfer. (See Theorem 3.1.)

To illustrate another subtlety, note that t plays a pivotal role in the transfer. We might have tried to skip past t by applying the Find rule:

[Figure: attempted rule application, not reproduced]

But s is an object, and our rule definitions do not permit the application of a Spy to define a read edge from p to u. One might argue that a Spy should be allowed here because the s-to-u read edge is implicit and thus s receives the information passively. Subjecthood appears restrictive. Our decision to force the second vertex in a Spy rule to be a subject guarantees the existence of an agent when needed. It will be clear from our results that this limitation is not serious.

Finally, we must make one cautionary remark concerning the interpretation of protection graphs. This is a general study that will be applicable (we hope) to a wide class of protection systems. As such we must consider all protection graphs even if they do not have a sensible interpretation in the context of a particular protection system. For example, we allow constructs such as an object holding a read edge to another object in our protection graphs. If one thinks of objects as files, this may be meaningless. But if objects include "secure" processes, then this is more reasonable. We cannot limit a priori the class of interpretations, so we allow for any protection graph consistent with our original definitions.


3. The Conditions of De Facto Transfer

Having abstracted potential de facto transfers as a set of four rewriting rules and having illustrated that these rules compose in complex ways, we now formulate an exact statement of what it means for a potential de facto transfer to exist within the model. This will be done by defining a predicate can·know·f(p,q,G) of three parameters. The predicate is true if vertex p of G can acquire the information from vertex q of G by some sequence of rule applications. Then, we define conditions on G that determine when the predicate is true.

Define for a protection graph G_0 and arbitrary distinct vertices p and q of G_0

can·know·f(p,q,G_0) to be true if and only if there exists a sequence of graphs G_1,...,G_n (n ≥ 0) such that G_{i+1} follows from G_i by one of the DF rules, 0 ≤ i < n, and in G_n there is a p-to-q edge labeled r.

Thus, the predicate can·know·f(p,q,G_0) is true if and only if de jure authority exists or an implicit edge from p to q can be added by means of the four DF rules.


Now, we formulate conditions under which can·know·f holds. To aid in this endeavor, define an rw-path in a protection graph G as a sequence of distinct vertices v_0,v_1,...,v_k (k > 1) such that v_i is connected to v_{i+1} by an edge (in either direction) labeled with r or w (or both) for all i, 0 ≤ i < k. We say that the rw-path is between v_0 and v_k. For example, in the graph

[Figure: example graph on vertices s, t, u, v, not reproduced]

the sequence s,t,u,v is an rw-path.


Not all rw-paths will permit de facto transfer of information. (For example, s,t,u,v above does not!) So we limit our attention to a certain subset of them. To do this, we associate with each rw-path one or more words over the alphabet $\{\vec{r}, \overleftarrow{r}, \vec{w}, \overleftarrow{w}\}$ in the obvious way (the i-th letter is $\vec{r}$ or $\vec{w}$ when the edge from $v_{i-1}$ to $v_i$ carries that right, and $\overleftarrow{r}$ or $\overleftarrow{w}$ when the edge from $v_i$ to $v_{i-1}$ does); for example, the sequence s,t,u,v given above has two associated words, namely rrw and rww.

Define an rw-path v_0,v_1,...,v_k (k > 1) to be an admissible rw-path if and only if

(i) it has an associated word $a_1 a_2 \ldots a_k$ in the regular language $(\vec{r} \cup \overleftarrow{w})^{*}$, and

(ii) if $a_i = \vec{r}$ then $v_{i-1}$ is a subject and if $a_i = \overleftarrow{w}$ then $v_i$ is a subject.

There are two immediate consequences of this definition. First, since k > 1, there are always at least two letters in the word associated with any admissible path. Second, there cannot be two consecutive objects on any admissible path.

The first result concerning de facto transfers can now be stated.

Theorem 3.1: Let p and q be vertices in a protection graph G. Then can·know·f(p,q,G) is true if and only if there is a p-to-q edge labeled r or there is an admissible rw-path between p and q.

Proof: (⇐) By induction on the length ℓ (i.e. number of edges) of the admissible rw-path.

(Basis): Clearly, when ℓ = 2 (the shortest non-trivial length) there are four distinct rw-paths and each of these is handled by a separate rule.

(Induction): Let the hypothesis be that for each ℓ, 2 ≤ ℓ ≤ k, if p = v_0,v_1,...,v_ℓ = q is an admissible rw-path then can·know·f(p,q,G) is true. Observe that for every admissible rw-path of length ℓ > 2 either it is an extension by $\vec{r}$ of an admissible rw-path terminating in a subject or it terminates in a subject and is the extension by $\overleftarrow{w}$ of an admissible rw-path.

Let p = v_0,...,v_k,v_{k+1} = q be an admissible rw-path. By hypothesis can·know·f(p,v_k,G) is true and hence a p-to-v_k edge labeled r can be constructed. By the observation either a Spy or Post rule can be applied to give a p-to-q edge labeled r and can·know·f(p,q,G) is true, extending the induction.

(⇒) By induction on the number ℓ of times any of the four rules are applied to produce a witness to can·know·f.

(Basis): By inspection of the rule schemata, if only one rule is applied then the path between the vertices is an admissible rw-path.

(Induction): Suppose that all witnesses to can·know·f requiring ℓ ≥ 1 or fewer rule applications have admissible rw-paths, and let a witness to can·know·f(p,q,G) require ℓ+1 rule applications. Since edges labeled with w cannot be introduced, the (ℓ+1)st rule could not have been the Find rule. If the (ℓ+1)st rule was a Pass or Post rule then the edge of the rule schema labeled w is explicit and the edge labeled r was constructed between, say, x and y with ℓ rule applications. Then can·know·f(x,y,G) is true and by hypothesis there is an admissible rw-path between x and y. The extension of this path by $\overleftarrow{w}$ leads, by inspection, to an admissible path. Finally, if the (ℓ+1)st rule was a Spy then there are edges labeled r between some x and y, and y and z. If one of these is explicit, say the x-to-y edge, then can·know·f(y,z,G) is true and the edge was found in ℓ rule applications. By hypothesis there is an admissible rw-path between y and z and by inspection the extension is an admissible rw-path between x and z. If both the x-to-y and y-to-z edges are implicit then by analogous reasoning they are admissible. Since the concatenation of admissible paths is admissible, the induction is extended. □

We emphasize that this condition is necessary and sufficient (i.e. if and only if); it exactly characterizes the way DF rules can cause de facto transfers. It is also clear that using standard breadth-first graph traversal techniques, this condition is easy to test for any given pair of vertices.

Corollary 3.2: For vertices p and q of a protection graph G, there is a linear-time (in the size of the graph) algorithm for testing can·know·f(p,q,G).

The reader is encouraged to return to the graph G_0 in Section 2 to verify our claim that there can be no transfer along the "lower" path, that is, can·know·f(p',q,G_0) is false.
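Corollary 3.2 says the condition of Theorem 3.1 can be tested by breadth-first search; the following Python function is an added example of that test and is not code from the paper. Each search step is one letter of an admissible word: $\vec{r}$ when the current vertex is a subject holding r to the next one, $\overleftarrow{w}$ when the next vertex is a subject holding w to the current one. The sample graph is constructed here: the mail-box users of the Introduction plus a subject p' (spelled pprime) reading an object o1 that holds r to an object o2, two consecutive objects forming the kind of barrier discussed in Section 2.

```python
from collections import deque


def can_know_f(subjects, edges, p, q):
    """Theorem 3.1 as a breadth-first search.  `subjects` is the set of subject
    vertices; `edges` maps (a, b) to the set of rights a holds to b (explicit
    edges only).  Returns an admissible rw-path from p to q as a list of
    vertices ([p, q] when an explicit p-to-q read edge exists), else None."""
    def rights(a, b):
        return edges.get((a, b), set())

    if "r" in rights(p, q):
        return [p, q]

    vertices = set(subjects) | {v for e in edges for v in e}

    def steps(u):
        # One letter of an admissible word: r-forward needs the reader u to be
        # a subject, w-backward needs the writer v to be a subject.  Either way
        # information can flow from v back to u.
        for v in vertices:
            if v == u:
                continue
            if ("r" in rights(u, v) and u in subjects) or ("w" in rights(v, u) and v in subjects):
                yield v

    # BFS yields a shortest walk, hence a path of distinct vertices.  The first
    # step may not go straight to q, so any path found has k >= 2 edges as the
    # definition of an rw-path requires.
    parent = {p: None}
    queue = deque([p])
    while queue:
        u = queue.popleft()
        for v in sorted(steps(u)):
            if (u == p and v == q) or v in parent:
                continue
            parent[v] = u
            if v == q:
                path = [q]
                while parent[path[-1]] is not None:
                    path.append(parent[path[-1]])
                return path[::-1]
            queue.append(v)
    return None


# Constructed sample: the mail-box graph of the Introduction plus a barrier of
# two consecutive objects (o1, o2) like the lower path of G_0 in Section 2.
SUBJECTS = {"Abel", "Baker", "Charlie", "pprime"}
EDGES = {
    ("Abel", "File1"): {"r", "w"},
    ("Baker", "File2"): {"r", "w"},
    ("Charlie", "File3"): {"r", "w"},
    ("Baker", "Mailbox"): {"r", "w"},
    ("Charlie", "Mailbox"): {"r", "w"},
    ("pprime", "o1"): {"r"},
    ("o1", "o2"): {"r"},   # an object holding r to an object: allowed by the
}                          # model, but no subject can act on it

if __name__ == "__main__":
    print(can_know_f(SUBJECTS, EDGES, "Baker", "File3"))   # via Mailbox and Charlie
    print(can_know_f(SUBJECTS, EDGES, "pprime", "o2"))     # None: two consecutive objects
```

The returned path is the witness: for Baker and File3 it is Baker, Mailbox, Charlie, File3 with word $\vec{r}\,\overleftarrow{w}\,\vec{r}$, and for p' and o2 the search stops at o1 because the second letter would require o1 to be a subject.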
4. Review of De Jure

Up to this point we have concentrated on the four rules that implement de facto transfers. Although these rules specify the addition of an edge in the graph, we have agreed that these are only implied edges — no new access authority has been created. Now, we review the way in which de jure acquisition takes place in the Take/Grant Model.


Recall  that  in  addition  to  r and  w,  there  are  two  other  rights: 
t and  g.  In  [1,2]  the  following  rules  were  introduced  for  changing 
access  authority.  All  edges  referred  to  in  these  rules  are  explicit. 

Take: Let x, y and z be three distinct vertices in a protection graph G such that x is a subject. Let there be an edge from x to y labeled γ such that t ∈ γ, an edge from y to z labeled δ, and α ⊆ δ. Then the take rule defines a new graph G' by adding an edge to the protection graph from x to z labeled α. Graphically,

    x -γ-> y -δ-> z    =>    x -γ-> y -δ-> z   plus   x -α-> z

The rule can be read: "x takes (α to z) from y."

Grant: Let x, y and z be three distinct vertices in a protection graph G such that x is a subject. Let there be an edge from x to y labeled γ such that g ∈ γ, an edge from x to z labeled δ, and α ⊆ δ. The grant rule defines a new graph G' by adding an edge from y to z labeled α. Graphically,

    y <-γ- x -δ-> z    =>    y <-γ- x -δ-> z   plus   y -α-> z

The rule can be read: "x grants (α to z) to y."

Create: Let x be any subject vertex in a protection graph G and let α be a subset of R. Create defines a new graph G' by adding a new vertex n to the graph and an edge from x to n labeled α. Graphically,

    x    =>    x -α-> n

The rule can be read: "x creates (α to) new {subject, object} n."

Remove: Let x and y be any distinct vertices in a protection graph G such that x is a subject. Let there be an edge from x to y labeled β, and let α be any subset of rights. Then remove defines a new graph G' by deleting the α labels from β. If β becomes empty as a result, the edge itself is deleted. Graphically,

    x -β-> y    =>    x -(β − α)-> y

The rule can be read: "x removes (α to) y."

We refer to these four rules collectively as the DJ rules.

The edges added by these rules represent explicit changes in the access authority. Thus, when "x takes (r to z) from y," x only acquires the read rights to the information. It must invoke the right to read the information. In addition to adding edges, Create allows the addition of new vertices. As Figure 4 illustrates*, Create adds an important dimension to the model since without Create one cannot add g to the a-to-b edge in this example.

In order to report on previous results [1,2] we define a tg-path (analogous to an rw-path) as a nonempty sequence v_0,...,v_k of vertices such that for all i, 0 ≤ i < k, v_i is connected to v_{i+1} by an edge (in either direction) with a label containing a t or g (or both). Vertices are tg-connected if there is a tg-path between them and we call any maximal, tg-connected subject-only subgraph an island.

Associate with tg-paths words over the alphabet $\{\vec{t}, \overleftarrow{t}, \vec{g}, \overleftarrow{g}\}$ analogous to the words associated with rw-paths. (If k = 0 in the tg-path, then the associated word is ε.) A tg-path v_0,...,v_k with v_0 being a subject is an initial span if it has an associated word in the language $\{\vec{t}^{*}\vec{g}\} \cup \{\varepsilon\}$; it is a terminal span if it has an associated word in $\{\vec{t}^{*}\}$; and it is a bridge if v_k is a subject and it has an associated word in $\{\vec{t}^{*},\ \overleftarrow{t}^{*},\ \vec{t}^{*}\vec{g}\overleftarrow{t}^{*},\ \vec{t}^{*}\overleftarrow{g}\overleftarrow{t}^{*}\}$. Note that initial and terminal spans have orientation, i.e. v_0 is the source of the spans. We say v_0 initially or terminally spans to v_k.

*Note, even though there is only one directed edge from any vertex a to any vertex b, we occasionally draw two to emphasize changes in labelling.

Figure 4: Vertex a acquires g rights to b, i.e., g is added to the label on the a-to-b edge. The rule applications may be read

a creates (tg to) new object d,
a grants (g to d) to c,
c grants (g to b) to d,
a takes (g to b) from d.

Restricting our attention only to Take, Grant, Create and Remove, we define for a right α and distinct vertices p and q of a protection graph G_0 the predicate

can·share(α,p,q,G_0) ≡ there are protection graphs G_1,...,G_n such that G_0 ⊢* G_n using only DJ rules and in G_n there is a p-to-q edge labeled α.

Note that α can be any right in R = {r,w,t,g}.

We may now state when the can·share predicate is true. Let p and q be arbitrary, distinct vertices in protection graph G_0 and let α ∈ R.

Theorem 4.1 [2]: The predicate can·share(α,p,q,G_0) is true if and only if the following hold simultaneously:

(i) there is a vertex s ∈ G_0 with an s-to-q edge labeled α,

(ii) there exist subject vertices p' and s' such that
(a) p' initially spans to p,
(b) s' terminally spans to s,

(iii) there exist islands I_1,...,I_v with p' ∈ I_1 and s' ∈ I_v, and there is a bridge from I_j to I_{j+1} (1 ≤ j < v).

Figure 5 illustrates the conditions of the theorem. Although these conditions appear to be complicated, we can test a protection graph in linear time to see if it satisfies the conditions.

Clearly, if one is restricted to the DJ rules, then p can get de jure access to q in G_0 if and only if can·share(r,p,q,G_0) is true. The crucial question is: how do the DJ and DF rules interact? We describe that in the next section.


[Figure 5: protection graph G_0 on vertices p, u, v, w, x, y, s', s, q; drawing not reproduced]
Islands: I_1 = {p,u}, I_2 = {w}, I_3 = {y,s'}.
Bridges: u,v,w and w,x,y.

Initial span: p; associated word: ε.
Terminal span: s',s; associated word: $\vec{t}$.

can·share(r,p,q,G_0) is true as the following rule applications attest.


1. s' takes (r to q) from s.
2. s' grants (r to q) to y.
3. y takes (g to w) from x.
4. u takes (g to w) from v.
5. u grants (g to p) to w.
6. y grants (r to q) to w.
7. w grants (r to q) to p.

The resulting graph appears as follows:

[Figure 5, continued: the resulting graph, not reproduced]

Figure 5: Illustration of the conditions of can·share.
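The four DJ rules with their preconditions, as an added Python example that is not code from the paper. It replays the Figure 4 sequence exactly as the caption reads it (that the a-to-b edge initially carries r is an assumption; the caption only says g is not yet on it), and the seven rule applications of Figure 5 on a graph reconstructed here from the islands, bridges and spans listed for that figure (the reconstruction, in particular which vertices are objects, is an assumption).

```python
from collections import defaultdict


class TakeGrantGraph:
    """Protection graph with the four DJ rules.  Every rule checks its schema
    and raises ValueError when the preconditions do not hold."""

    def __init__(self):
        self.subjects = set()
        self.objects = set()
        self.edges = defaultdict(set)   # (a, b) -> rights a holds to b

    def add_vertex(self, v, kind):
        (self.subjects if kind == "subject" else self.objects).add(v)

    def add_edge(self, a, b, rights):
        self.edges[(a, b)] |= set(rights)

    def rights(self, a, b):
        return self.edges.get((a, b), set())

    def _require(self, cond, msg):
        if not cond:
            raise ValueError(msg)

    def take(self, x, alpha, z, y):
        """x takes (alpha to z) from y: t in x->y and alpha a subset of y->z."""
        self._require(x in self.subjects, f"{x} is not a subject")
        self._require("t" in self.rights(x, y), f"{x} has no t to {y}")
        self._require(set(alpha) <= self.rights(y, z), f"{y} lacks {alpha} to {z}")
        self.edges[(x, z)] |= set(alpha)

    def grant(self, x, alpha, z, y):
        """x grants (alpha to z) to y: g in x->y and alpha a subset of x->z."""
        self._require(x in self.subjects, f"{x} is not a subject")
        self._require("g" in self.rights(x, y), f"{x} has no g to {y}")
        self._require(set(alpha) <= self.rights(x, z), f"{x} lacks {alpha} to {z}")
        self.edges[(y, z)] |= set(alpha)

    def create(self, x, alpha, kind, n):
        """x creates (alpha to) new subject or object n."""
        self._require(x in self.subjects, f"{x} is not a subject")
        self._require(n not in self.subjects | self.objects, f"{n} already exists")
        self.add_vertex(n, kind)
        self.edges[(x, n)] = set(alpha)

    def remove(self, x, alpha, y):
        """x removes (alpha to) y; the edge disappears when its label empties."""
        self._require(x in self.subjects, f"{x} is not a subject")
        self.edges[(x, y)] -= set(alpha)
        if not self.edges[(x, y)]:
            del self.edges[(x, y)]


def figure4():
    """Figure 4 as its caption reads: subjects a and c, a->c g, c->b g, and an
    a-to-b edge that lacks g (its label r is an assumption).  Returns the final
    a-to-b label."""
    g = TakeGrantGraph()
    for v, kind in (("a", "subject"), ("c", "subject"), ("b", "object")):
        g.add_vertex(v, kind)
    g.add_edge("a", "c", "g"); g.add_edge("c", "b", "g"); g.add_edge("a", "b", "r")
    g.create("a", "tg", "object", "d")   # a creates (tg to) new object d
    g.grant("a", "g", "d", "c")          # a grants (g to d) to c
    g.grant("c", "g", "b", "d")          # c grants (g to b) to d
    g.take("a", "g", "b", "d")           # a takes (g to b) from d
    return g.rights("a", "b")


def figure5():
    """Figure 5 reconstructed (assumption) from the text: islands {p,u}, {w},
    {y,s'}; bridges u,v,w and w,x,y; terminal span s',s; s->q r.  Vertices
    outside the islands (v, x, s, q) must be objects.  Replays the seven rule
    applications and returns the final p-to-q label."""
    g = TakeGrantGraph()
    for s in ("p", "u", "w", "y", "s'"):
        g.add_vertex(s, "subject")
    for o in ("v", "x", "s", "q"):
        g.add_vertex(o, "object")
    for a, b, r in [("u", "p", "g"), ("u", "v", "t"), ("v", "w", "g"), ("x", "w", "g"),
                    ("y", "x", "t"), ("s'", "y", "g"), ("s'", "s", "t"), ("s", "q", "r")]:
        g.add_edge(a, b, r)
    g.take("s'", "r", "q", "s")     # 1. s' takes (r to q) from s
    g.grant("s'", "r", "q", "y")    # 2. s' grants (r to q) to y
    g.take("y", "g", "w", "x")      # 3. y takes (g to w) from x
    g.take("u", "g", "w", "v")      # 4. u takes (g to w) from v
    g.grant("u", "g", "p", "w")     # 5. u grants (g to p) to w
    g.grant("y", "r", "q", "w")     # 6. y grants (r to q) to w
    g.grant("w", "r", "q", "p")     # 7. w grants (r to q) to p
    return g.rights("p", "q")


if __name__ == "__main__":
    print("Figure 4, a-to-b:", figure4())
    print("Figure 5, p-to-q:", figure5())
```

Because every rule validates its schema, the replay doubles as a check that the listed steps are applied in a legal order: swapping steps 5 and 7 of Figure 5, for instance, raises ValueError since w does not yet hold g to p.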
5. Combined Transfers


We begin by illustrating a simple case where both de jure and de facto transfers are needed to share information. Consider the protection graph G

[Figure: protection graph G on vertices p, x, y, z, s, q; drawing not reproduced]

and notice that can·share(r,p,q,G) is false since s (the only owner of the read right to q) is not tg-connected to p. Also, can·know·f(p,q,G) is false since there is no admissible rw-path between p and q. Furthermore, by our Theorem 4.1, no matter what changes we make to G using Take, Grant, Create and Remove, can·share(r,p,q,G) remains false, and by our Theorem 3.1 no matter what changes we make to G using Spy, Post, Pass and Find, can·know·f(p,q,G) remains false. But, it is possible using DJ and DF rules to construct a graph G' in which can·know·f(p,q,G') is true.


In fact, there are two ways to change the graph that are conceptually different. First, x can grant (r to y) to p and z can take (r to q) from s. This results in the graph G'

[Figure: protection graph G', not reproduced]

which now contains an admissible rw-path. Alternatively, in G, x and s can create r,w rights to new objects, and "read" rights to these objects can be acquired by p and z to "straddle" the t and g edges. The result is G''

[Figure: protection graph G'' on vertices p, x, y, z, s, q and the new objects, not reproduced]

which contains an admissible rw-path. Thus, we can either transmit existing rights or create new rights to build an rw-path.

We  refer  to  the  use  of  any  combination  of  the  DJ  and  DF  rules  as 
combined  transfer.  (Recall  that  the  DJ  rules  can  only  match  explicit 
edges  while  the  DF  rules  can  match  explicit  or  implicit  edges.) 

Following our paradigm, we define a predicate that introduces a read edge by any of the combined transfers. Let p and q be arbitrary, distinct vertices in a protection graph G_0, then

can·know(p,q,G_0) is true if and only if there is a sequence of protection graphs G_1,...,G_n such that G_0 ⊢* G_n and in G_n there is a p-to-q edge labeled r.

Note that the p-to-q edge can be either implicit or explicit.

Define an rwtg-path in the obvious way and associate words over the alphabet $\{\vec{t}, \overleftarrow{t}, \vec{g}, \overleftarrow{g}, \vec{r}, \overleftarrow{r}, \vec{w}, \overleftarrow{w}\}$ as usual. We define a second class of spans. Let v_0,...,v_k (k > 0) be an rwtg-path where v_0 is a subject. This path is an rw-initial span if its associated word is in the regular language $\{\vec{t}^{*}\vec{w}\}$ and it is an rw-terminal span if its associated word is in $\{\vec{t}^{*}\vec{r}\}$. Again we observe that spans have orientation and we say that v_0 rw-initially (or rw-terminally) spans to v_k.

Define the regular languages:

Bridges: $B = \{\vec{t}^{*}\} \cup \{\overleftarrow{t}^{*}\} \cup \{\vec{t}^{*}\vec{g}\overleftarrow{t}^{*}\} \cup \{\vec{t}^{*}\overleftarrow{g}\overleftarrow{t}^{*}\}$.

Connections: $C = \{\vec{t}^{*}\vec{r}\} \cup \{\overleftarrow{w}\overleftarrow{t}^{*}\} \cup \{\vec{t}^{*}\vec{r}\overleftarrow{w}\overleftarrow{t}^{*}\}$.

Note that the bridges language is the same set defined in Section 4.
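As an added example (not from the paper), the following Python code computes the words associated with a path under the convention used above, encoding a letter with a forward arrow as an upper-case right and a letter with a backward arrow as a lower-case one, and tests those words against the regular languages of Sections 4 and 5 with Python's re module. It checks word membership only; the subject conditions on a span's or bridge's end vertices are left to the caller. The sample edges are constructed here from the Figure 5 bridges and terminal span plus a mail-box style pair in which a reads m and b writes m.

```python
import re


def associated_words(edges, path):
    """All words associated with `path`.  For each step v[i-1], v[i] a letter
    comes from a right on the edge v[i-1]->v[i] (upper case, forward arrow) or
    on the edge v[i]->v[i-1] (lower case, backward arrow).  A path with k = 0
    has the single word '' (epsilon)."""
    words = {""}
    for a, b in zip(path, path[1:]):
        letters = {c.upper() for c in edges.get((a, b), set()) if c in "tgrw"}
        letters |= {c for c in edges.get((b, a), set()) if c in "tgrw"}
        words = {w + c for w in words for c in letters}
    return words


# The languages of Sections 4 and 5 in the same encoding (T = t forward,
# t = t backward, and so on).
LANGUAGES = {
    "initial span":     re.compile(r"T*G|"),            # t->* g->  or epsilon
    "terminal span":    re.compile(r"T*"),              # t->*
    "bridge (B)":       re.compile(r"T*|t*|T*Gt*|T*gt*"),
    "rw-initial span":  re.compile(r"T*W"),             # t->* w->
    "rw-terminal span": re.compile(r"T*R"),             # t->* r->
    "connection (C)":   re.compile(r"T*R|wt*|T*Rwt*"),
}


def classify(edges, path):
    """Names of the languages that some word associated with `path` belongs to."""
    words = associated_words(edges, path)
    return sorted(name for name, rx in LANGUAGES.items()
                  if any(rx.fullmatch(w) for w in words))


# Constructed sample: the Figure 5 bridges (u,v,w and w,x,y), its terminal
# span s',s with s->q r, and a mail-box style pair a -r-> m <-w- b.
EDGES = {
    ("u", "v"): {"t"}, ("v", "w"): {"g"},
    ("x", "w"): {"g"}, ("y", "x"): {"t"},
    ("s'", "s"): {"t"}, ("s", "q"): {"r"},
    ("a", "m"): {"r"}, ("b", "m"): {"w"},
}

if __name__ == "__main__":
    for path in (["u", "v", "w"], ["w", "x", "y"], ["s'", "s"],
                 ["s'", "s", "q"], ["a", "m", "b"], ["b", "m", "a"]):
        print(path, associated_words(EDGES, path), classify(EDGES, path))
```

The two Figure 5 bridges come out as the words TG ($\vec{t}\vec{g}$) and gt ($\overleftarrow{g}\overleftarrow{t}$), both in B; the path s',s,q has word TR ($\vec{t}\vec{r}$), an rw-terminal span and also a connection; and a,m,b has word Rw ($\vec{r}\overleftarrow{w}$), the Post-shaped connection, while the reverse path b,m,a yields Wr, which belongs to none of the languages because information flows the other way.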
We can now characterize the can·know predicate. Let p and q be arbitrary, distinct vertices in a protection graph G.

Theorem 5.1: can·know(p,q,G) is true if and only if
(i) can·share(r,p,q,G) is true or,
(ii) there exists a sequence of subjects u_1,...,u_n such that the following conditions hold:
(a) p = u_1 or u_1 rw-initially spans to p,
(b) q = u_n or u_n rw-terminally spans to q, and
(c) for all i, 1 ≤ i < n, there is an rwtg-path between u_i and u_{i+1} with associated word in B ∪ C.

Proof: (⇒) If can•know$(p,q,G)$ is true and a witness can be found by application of DJ rules only, then obviously can•share$(r,p,q,G)$ is true. So suppose that at least one application of a DF rule is required to construct a witness $G_w$ for can•know$(p,q,G)$. Because DJ rules do not manipulate implicit edges, we can, without loss of generality, arrange the rule applications so that all DJ rules are performed before any DF rules are applied. Let $G_J$ denote the protection graph resulting from the application of only DJ rules. Further, note that among the DJ rules, all Creates can be performed before any of the Take, Grant or Remove rules.* Let $G_c$ denote the result of applying all Creates to $G$. Clearly, the following relations hold among the graphs:

$G \vdash^{*} G_c \vdash^{*} G_J \vdash^{*} G_w$, where the first step uses the Create rule only, the second the other DJ rules, and the third only DF rules.

Next, notice that each of the newly created vertices in $G_c$ is in a created subgraph that is connected to the $G$ subgraph of $G_c$ via exactly one original subject vertex. If $v$ is a created vertex, call this subject vertex the father of $v$. (Of course, the father need not have actually created $v$, but it must have created one of the vertices in the created subgraph in which $v$ resides.)

*Clearly, Remove rule applications are never useful in this context since additional edges are not harmful.
Since only DF rules are applied after the creation of $G_J$, it follows by Theorem 3.1 that there exists in $G_J$ an admissible rw-path $p = v_0, v_1, \ldots, v_k = q$ between $p$ and $q$. We shall reason about how this path was constructed by means of the DJ rules.

The following three facts, derived from Theorem 4.1, will be helpful in the argument. Suppose for arbitrary, distinct vertices $x$ and $y$ in a protection graph $G'$ that can•share$(r,x,y,G')$ (resp. can•share$(w,x,y,G')$) is true.

Fact 1: Either there is an $x$-to-$y$ edge in $G'$ labeled $r$ (resp. $w$) or there is a subject $s$ in $G'$ and an rwtg-path in $G'$ from $s$ to $y$ with associated word in $\{\overrightarrow{t}^{*}\,\overrightarrow{r}\}$ (resp. $\{\overrightarrow{t}^{*}\,\overrightarrow{w}\}$).

Fact 2: If a witness can be found using islands $I_1,\ldots,I_t$ then can•share$(r,z,y,G')$ (resp. can•share$(w,z,y,G')$) is true for any subject $z \in I_j$, $1 \leq j \leq t$.

Fact 3: If there is no $x$-to-$y$ edge labeled $r$ (resp. $w$) then there is a sequence of subjects $x = w_0, w_1, \ldots, w_m = s$ such that $w_j$ is connected to $w_{j+1}$ by a bridge.
Proceeding with the analysis of the admissible rw-path, let $v_i$ and $v_{i+1}$ be consecutive vertices along the path. Suppose $v_i$ and $v_{i+1}$ are both in $G$; then can•share$(r,v_i,v_{i+1},G)$ (resp. can•share$(w,v_{i+1},v_i,G)$) is true. Then Fact 1 assures that they are connected by an edge in $G$ or there is an $s$ connecting to $v_{i+1}$ (resp. $v_i$) by an rwtg-path in $G$. If $v_i$ and $v_{i+1}$ are both subjects, and $s = v_i$ (resp. $s = v_{i+1}$), then $v_i$ and $v_{i+1}$ qualify as subjects $u_j$ and $u_{j+1}$ for some $j$. If $v_i$ and $v_{i+1}$ are subjects but $s \neq v_i$ (resp. $v_{i+1}$) then Fact 3 guarantees the existence of bridge-connected subjects $v_i = w_0, \ldots, w_m = s$ which qualify as $u_j, \ldots, u_{j+m}$ for some $j$ and $m$.

By admissibility, only $v_{i+1}$ (resp. $v_i$) can be an object. If $v_{i+1} = q$ (resp. $v_i = p$) then Fact 1 guarantees an rw-terminal span (resp. rw-initial span) from $s$ to $q$ (resp. $p$). Then $s$ qualifies as subject $u_n$ (resp. $u_1$).

Assume $v_{i+1} \neq q$ (resp. $v_i \neq p$) is an object and let $s$ be defined by Fact 1. By admissibility, the next vertex $v_{i+2}$ (resp. $v_{i-1}$) must be a subject. Suppose this next vertex is in $G$. Then can•share$(w,v_{i+2},v_{i+1},G)$ (resp. can•share$(r,v_{i-1},v_i,G)$) is true and by Fact 1, $s'$ exists connecting to $v_{i+1}$ (resp. $v_i$) by a word in $G$. Now $s$ and $s'$ qualify as $u_j$ and $u_{j+1}$ (resp. $u_{j-1}$ and $u_j$) for some $j$ since they are connected by a word in $\{\overrightarrow{t}^{*}\,\overrightarrow{r}\,\overleftarrow{w}\,\overleftarrow{t}^{*}\}$. Moreover, by Fact 3, if $v_{i+2} \neq s'$ (resp. $v_{i-1} \neq s'$) there are subjects $s' = w_0, \ldots, w_m = v_{i+2}$ (resp. $v_{i-1} = w_0, \ldots, w_m = s'$) which are bridge connected and thus qualify as $u_{j+1}, \ldots, u_{j+m+1}$ (resp. $u_{j-m-1}, \ldots, u_{j-1}$).

Now suppose that one or more of the vertices $v_{i-1}, v_i, v_{i+1}$, or $v_{i+2}$ mentioned in the preceding paragraphs are not in $G$. Then the preceding argument applies without modification in $G_c$. In the application of the can•share predicate in that argument, the fathers of the new vertices must be in islands witnessing the sharing, since these new vertices are connected to the $G$ subgraph via the father. Thus, for example, if $v_i$ is a new vertex and $v_{i+1}$ is an existing vertex and can•share$(r,v_i,v_{i+1},G_c)$ is true, then by Fact 2, can•share$(r,\mathrm{father}(v_i),v_{i+1},G)$ is true. Thus $\mathrm{father}(v_i)$ acts as a surrogate for $v_i$. In particular, the bridges that were shown to exist for $v_i$ in the original argument must exist for the father of $v_i$. If $v_{i+1}$ is also a new vertex, both fathers are surrogates and they are connected by bridges over 0 or more islands. The details are left to the reader.

Finally, we observe that for each pair of consecutive vertices, we established the existence of subjects $u_j, \ldots, u_{j+m}$ for some $j$ and $m$. Since adjacent pairs will have subject sequences with a common element, the existence of the entire sequence has been established.

(⇐) If can•share$(r,p,q,G)$ is true, can•know$(p,q,G)$ is trivially true. So suppose it is false and let $u_1,\ldots,u_n$ be the subjects required in condition (ii) of the Theorem. It is sufficient to convert this to an admissible rw-path and then invoke Theorem 3.1. If $u_i$ and $u_{i+1}$ are connected by a word in $C$, or conditions (a) or (b) apply, then use the Take rule in the obvious way until no further applications are possible. An $r$ or $w$ connecting edge results. Otherwise $u_i$ and $u_{i+1}$ are connected by a bridge. Apply Take in the obvious way until no further applications are possible. Then $u_i$ and $u_{i+1}$ are connected by an edge with word in $\{\overrightarrow{t},\overleftarrow{t},\overrightarrow{g},\overleftarrow{g}\}$. Now one of the vertices can Create (with rw to) a new object and the other can acquire the appropriate right so that $u_i$ and $u_{i+1}$ are connected by a path with a word in $\{\overrightarrow{r}\,\overleftarrow{w}\}$. The result is an admissible rw-path, and Theorem 3.1 can be applied. □

Corollary: For arbitrary, distinct vertices $p$ and $q$ in a protection graph $G$, the predicate can•know$(p,q,G)$ can be tested in linear time in the size of the graph.

Although the proof is quite involved, the conditions are quite straightforward. The reader is encouraged to return to the graph presented at the beginning of the section to verify that they do apply.
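To make the conditions of Theorem 5.1 concrete, the following Python module (an added example, not code from the paper) encodes the word languages defined above as regular expressions over the tokens `>x` (an edge running along the path) and `<x` (an edge running against it), extracts the words of the simple rwtg-paths of a small protection graph, and tests condition (ii) of the theorem by searching for a chain of subjects linked by bridges or connections. Condition (i), can•share, belongs to Section 4 and is not implemented here, so `can_know_ii` answers condition (ii) only. The graph, its vertex names and the path-length bound are constructed for the example.

```python
import re
from collections import deque

# Word letters: ">x" = an edge labeled x running from v_i to v_{i+1} (along the path),
# "<x" = an edge labeled x running from v_{i+1} to v_i (against the path).
BRIDGE = re.compile(r"^(?:(?:>t)*|(?:<t)*|(?:>t)*>g(?:<t)*|(?:>t)*<g(?:<t)*)$")
CONNECTION = re.compile(r"^(?:(?:>t)*>r|<w(?:<t)*|(?:>t)*>r<w(?:<t)*)$")
RW_INITIAL = re.compile(r"^(?:>t)*>w$")     # v_0 can obtain write access to v_k
RW_TERMINAL = re.compile(r"^(?:>t)*>r$")    # v_0 can obtain read access to v_k


class ProtectionGraph:
    def __init__(self, subjects, edges):
        self.subjects = set(subjects)
        self.edges = set(edges)              # (source, target, label)
        self.adj = {}                        # vertex -> {(neighbour, letter)}
        for src, dst, label in self.edges:
            self.adj.setdefault(src, set()).add((dst, ">" + label))
            self.adj.setdefault(dst, set()).add((src, "<" + label))

    def words(self, src, dst, max_edges=6):
        """Associated words of all simple rwtg-paths from src to dst of at most max_edges edges."""
        found = set()

        def walk(v, word, seen):
            if v == dst:
                found.add(word)
                return
            if len(word) // 2 >= max_edges:    # bound the search on small example graphs
                return
            for nxt, letter in self.adj.get(v, ()):
                if nxt not in seen:
                    walk(nxt, word + letter, seen | {nxt})

        if src != dst:
            walk(src, "", {src})
        return found

    def spans(self, u, v, language):
        """True if subject u spans to v with a word in the given language."""
        return u in self.subjects and any(language.match(w) for w in self.words(u, v))

    def linked(self, u, v):
        """True if u and v are joined by an rwtg-path whose word is a bridge or a connection."""
        return any(BRIDGE.match(w) or CONNECTION.match(w) for w in self.words(u, v))

    def can_know_ii(self, p, q):
        """Condition (ii) of Theorem 5.1: a chain of subjects u_1..u_n from p's side to q's side."""
        starts = [u for u in self.subjects if u == p or self.spans(u, p, RW_INITIAL)]
        ends = {u for u in self.subjects if u == q or self.spans(u, q, RW_TERMINAL)}
        seen, queue = set(starts), deque(starts)
        while queue:                          # breadth-first search over the subject chain
            u = queue.popleft()
            if u in ends:
                return True
            for v in self.subjects - seen:
                if self.linked(u, v):
                    seen.add(v)
                    queue.append(v)
        return False


# Constructed example: Abel reads File3, which Erin can write; Dave can take Erin's rights
# and reads File2.  No take or grant edge ever reaches Abel, so Abel never obtains de jure
# access to File2, yet condition (ii) holds with u_1 = Abel and u_2 = Dave, joined by the
# connection word ">r<w<t".
EXAMPLE = ProtectionGraph(
    subjects={"Abel", "Dave", "Erin", "Frank"},
    edges={("Abel", "File3", "r"), ("Erin", "File3", "w"),
           ("Dave", "Erin", "t"), ("Dave", "File2", "r")},
)

if __name__ == "__main__":
    print(EXAMPLE.words("Abel", "Dave"))           # {'>r<w<t'}
    print(EXAMPLE.can_know_ii("Abel", "File2"))    # True
    print(EXAMPLE.can_know_ii("Frank", "File2"))   # False
```

The search enumerates simple paths, which is fine for a hand-sized graph but is not the linear-time procedure of the Corollary; it is meant to let the reader check the conditions on a concrete graph, including the one at the start of the section.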




6. Concluding Remarks

Two issues remain to be discussed: "two-way" de facto transfers and the "worst-case" assumption.

In the foregoing sections we have concerned ourselves with de facto transfers in which $p$ can read the contents of $q$, a one-way transfer of information. Suppose $p$ would like to communicate back to $q$, i.e. establish two-way communication. Must we repeat this entire development for the write right? Not at all!


Observe that by interchanging the $r$ and $w$ labels on our DF rule schemata we obtain the following:

[Figure: the four DF-w rule schemata spy-w, post-w, pass-w and find-w, obtained from the DF rules by interchanging the $r$ and $w$ labels.]

These new DF-w rules reflect the symmetry of read and write and are intuitively consistent.* Moreover, the directionality of the edges and the subject/object distinctions are all preserved. Thus, by interchanging $r$ and $w$ in the foregoing section, all substantive aspects of the arguments are preserved!


To emphasize this symmetry, define for arbitrary, distinct vertices $p$ and $q$ of a protection graph $G$

can•tell$(p,q,G)$ to be true if and only if there is a sequence of protection graphs $G_1,\ldots,G_n$ such that $G_{i+1}$ follows from $G_i$ by application of one of these new rules or the DJ rules ($0 \leq i < n$) and in $G_n$ there is a $p$-to-$q$ edge labeled $w$.

*The names are not at all suggestive, however.

Then we have from Theorem 5.1:

Corollary 6.1: can•tell$(p,q,G)$ is true if and only if

(i) can•share$(w,p,q,G)$ is true or,

(ii) there exists a sequence of subjects $u_1,\ldots,u_n$ such that the following conditions hold:

(a) $p = u_1$ or $u_1$ wr-initially spans to $p$,

(b) $q = u_n$ or $u_n$ wr-terminally spans to $q$, and

(c) for all $i$, $1 \leq i < n$, there is an rwtg-path between $u_i$ and $u_{i+1}$ with associated word in $B \cup C'$,

where wr-initial and wr-terminal spans are defined by interchanging $r$ and $w$ in the definitions of rw-initial and rw-terminal spans respectively and $C' = \{\overrightarrow{t}^{*}\,\overrightarrow{w} \cup \overleftarrow{r}\,\overleftarrow{t}^{*} \cup \overrightarrow{t}^{*}\,\overrightarrow{w}\,\overleftarrow{r}\,\overleftarrow{t}^{*}\}$. Of course, can•tell-j$(p,q,G)$ can be similarly defined.

The second issue is our "worst-case" assumption. We have assumed perfect cooperation throughout this paper. It may be a prudent assumption, but perhaps it is not very realistic. This assumption can be relaxed, at the cost of further analysis, in a way analogous to the way can•share was relaxed to can•steal in [3,4]. There, the owners of the information are assumed not to cooperate while all other subjects do. Alternatively, the number of cooperating subjects required for a transfer, called conspirators in [3], could be counted. This number could then be used as a measure of the probability that the transfer would actually be effected, since a large number of collaborators is likely to be more difficult to enlist than a small number.

The problem requires further study.
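As an added illustration of the read/write symmetry and of counting conspirators (example code, not the paper's own), the Python below works in the setting of Theorem 3.1, where all de jure authority has already been settled: it keeps only the explicit $r$ and $w$ edges, treats each usable edge as a one-step information flow (a read pulls the target's contents into the reader, a write pushes the writer's contents into the target), and answers can•know and can•tell by path search in the same flow graph, which is exactly the $r$/$w$ interchange argued above. It also reports the subjects that must exercise a right along the shortest such transfer, a simple form of the conspirator count suggested in the last paragraph. The vertex and edge names are constructed for the example, and the assumption that only subjects can exercise a right (so an $r$ or $w$ edge held by an object is never usable) is the example's own.

```python
from collections import deque


class FlowGraph:
    """Information-flow view of a protection graph after all de jure transfers are settled.

    A flow edge a -> b means that one exercise of an explicit right copies the contents of a
    into b.  Only subjects can exercise a right (assumption of this example), so an r or w
    edge whose source is an object is never usable and is dropped.
    """

    def __init__(self, subjects, edges):
        self.subjects = set(subjects)
        self.flow = {}                      # a -> {b: subject that performs the copy}
        for holder, target, right in edges:
            if holder not in self.subjects:
                continue                    # objects hold rights but never exercise them
            if right == "r":                # holder reads target: target's contents reach holder
                self.flow.setdefault(target, {}).setdefault(holder, holder)
            elif right == "w":              # holder writes target: holder's contents reach target
                self.flow.setdefault(holder, {}).setdefault(target, holder)

    def transfer_path(self, src, dst):
        """Shortest chain of vertices along which the contents of src reach dst, or None."""
        prev = {src: None}
        queue = deque([src])
        while queue:
            v = queue.popleft()
            if v == dst:
                break
            for nxt in self.flow.get(v, {}):
                if nxt not in prev:
                    prev[nxt] = v
                    queue.append(nxt)
        if dst not in prev:
            return None
        path, v = [], dst
        while v is not None:
            path.append(v)
            v = prev[v]
        return path[::-1]

    def can_know(self, p, q):
        """p can de facto read q: the contents of q can be moved into p."""
        return p != q and self.transfer_path(q, p) is not None

    def can_tell(self, p, q):
        """p can de facto write q: the same search with the roles of r and w interchanged."""
        return p != q and self.transfer_path(p, q) is not None

    def conspirators(self, p, q):
        """Subjects other than p that exercise a right along the shortest transfer from q to p."""
        path = self.transfer_path(q, p)
        if path is None:
            return None
        actors = {self.flow[a][b] for a, b in zip(path, path[1:])}
        return actors - {p}


# Constructed example: Baker reads File2 and writes Mailbox; Carol reads Mailbox and writes
# File3; Abel reads File3.  The w right held by the object File2 is never usable.  Abel holds
# no right to File2, yet File2's contents reach Abel through Baker and Carol.
EXAMPLE = FlowGraph(
    subjects={"Abel", "Baker", "Carol"},
    edges=[("Baker", "File2", "r"), ("Baker", "Mailbox", "w"), ("Carol", "Mailbox", "r"),
           ("Carol", "File3", "w"), ("Abel", "File3", "r"), ("File2", "Abel", "w")],
)

if __name__ == "__main__":
    print(EXAMPLE.transfer_path("File2", "Abel"))
    print(EXAMPLE.can_know("Abel", "File2"), EXAMPLE.can_tell("Abel", "File2"))
    print(EXAMPLE.conspirators("Abel", "File2"))
```

Because both predicates are answered by the same reachability search, can•know$(p,q)$ and can•tell$(q,p)$ always agree here, which is the symmetry Corollary 6.1 states for the full model. The conspirator set is taken from one shortest path and is therefore an upper bound on the smallest conspiracy rather than the minimum the last paragraph calls for.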